California Data Breach Law Lacks Reimbursement Requirement

SACRAMENTO, Calif. -- The data breach law that the California legislature has passed and sent to the governor does not include a requirement that retailers who experience a data breach reimburse card issuers for the costs of replacing the compromised cards, according to a California credit union lobbyist.

"That was probably the most significant compromise we had to to make to give the bill the greatest chance of passage and being signed into law," explained Elissa Ameluxen, state legislative and regulatory lobbyist for the California Credit Union League.

Credit unions in California and around the country have sought laws that mandate such reimbursement, arguing that without them retailers lack incentives to change their data protection practices.

But Ameluxen said the bill's backers hoped that the increased public notification requirements in the bill will serve as an incentives for retailers to protect card data. Under the bill's requirements, retailers and government agencies that experience the card data breaches would have to tell consumers both where the breach happened and roughly the time frame the breach took place.